ShopMonkey is an early-stage scaleup that is changing the game for the automotive industry, delivering a SaaS-based platform for aftermarket repair. Having raised more than $100M, serving more than 5,000 customers and employing nearly 200 people, the team at ShopMonkey understood they would need to level up their engineering and security practice to unleash their next phase of growth. The platform provides both front office services such as Point of Sale (PoS), transactions and invoicing, and back office management covering everything from inventory and accounting to workforce management, so the software stack faces both compliance and high-scale delivery demands.
Jeff Haynie joined ShopMonkey as CTO following their Series B round. As with many software stacks that rapidly achieve product-market fit, he understood that what got them to 5K+ customers likely wouldn't scale to the next 10K. They needed to restructure the team and refactor the technology stack to fuel the next phase of the product's evolution. With 20+ years leading startup companies, Jeff understood the challenges he would face on the product and design side as well as in delivery, which he came in to overhaul (just like a chassis!)
While he brought 25+ years of hands-on technology experience and had touched security as needed across a diversity of technical roles, security was not his main expertise, and he needed to explore the tools that could help him level up the team's security practice and culture. When Jit was introduced to Jeff and the team, he quickly "fell in love" with its novel approach to end-to-end security.
A Security Engine Overhaul for F1 Speed and Scale
The first-order challenge he needed to address was refactoring the product architecture by centralizing and consolidating their tooling. They leveraged GitHub to power this move, building continuous release and automation through CI/CD pipelines and reducing manual intervention as much as possible. Once this was complete, it was clear a similar consolidation would be required on the security tooling side.
When Jeff joined ShopMonkey, the team was using a myriad of security tools. The well-known challenge in this ecosystem is that each tool covers an isolated part of the security requirements, and the tools do not work together at all. Aside from the overhead of managing a fragmented security toolchain, there was a huge backlog of security tasks already in Jira that, without greater guidance, was clearly never going to close.
He found the team working with lots of dashboards that simply were not actionable, suffering from dashboard fatigue, spending a lot of money on security, and still feeling they were not moving the needle. It was clear they would remain ineffective if all they had were many people focused on perimeter and traditional security rather than working in the slipstream of how developers actually work.
The team quickly understood that unless security is embedded into real dev-native workflows, it will always remain an afterthought, requiring someone to dig through the code after vulnerabilities have already been deployed and pose risk to the organization.
“When I serendipitously encountered Jit, I quickly understood that this is exactly how I wanted the team to work: with first-party tooling, inside git and code, way before landing in production.”
Once vulnerabilities land in production, it's too late: remediation becomes a needle-in-a-haystack search, and it's nearly impossible to dig through the code after the fact. No tool will catch 100%, but catching even 80-90% of vulnerabilities before they're deployed to production makes a huge impact.
FinSecOps for the Brave!
By using Jit, it became possible to decommission some of the costly commercial tools they had been using (4-5 tools) and stop the PoC processes for tools they were evaluating before adopting Jit. Jit was everything they had been looking for: one master system that orchestrates other great tools, a declarative way of setting up a security plan, and no need to look at any other dashboards.
“All of the other tools qualified really functioned as their own isolated island, and didn’t work inside the PLC (product lifecycle) that we used every day.”
With teams already using Slack and GitHub, this covered the engineering organization from an alerting and remediation perspective, so they only needed to go into the dashboard for general monitoring and compliance purposes.
Tooling to Support Better Security Culture
One of the greatest challenges the team had during the retooling and hiring was cultural: building a better culture of security-mindedness. Historically there had been problems with committing hard-coded secrets and other anti-patterns that Jeff wanted to eliminate, and Jit served as a tool to bolster the security culture he was trying to instill in the team.
When code with poor security practices was migrated from the legacy codebase to the new one, Jit immediately flagged it and prevented it from being merged. An independent tool created a self-reinforcing cultural shift: it helped developers stay on the right security path and improve their security decisions going forward. Now every new engineer is onboarded into a reality where Jit runs on both the frontend and backend repos, with governance and policy guardrails in place that have become the accepted standard for the entire engineering organization.
“Jit provides continuous security by enabling my team to find and fix vulnerabilities in PRs without slowing them down or expecting them to be security experts.”
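The guardrail described above, a check that runs on the lines a pull request adds and blocks the merge when a hard-coded secret appears, looks roughly like the following. This is an added example written for this page, not Jit's scanner or ShopMonkey's code: the diff, file name, variable names and credential values are constructed (the AWS key ID is the public documentation example value), and the three rules (known key format, secret-looking name assigned a quoted literal, high-entropy literal) are a simplified version of what dedicated secret scanners do. Only added lines are inspected, so the deleted `OLD_SECRET` line is not reported, and the snippet in each finding has its quoted value masked so the secret is not echoed into CI logs.

```python
"""Pre-merge secret scan over a pull-request diff (illustrative example, not Jit's code)."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed unified diff standing in for a PR that migrates legacy config.
# Hypothetical paths and values; the AKIA... value is AWS's documented example key ID.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,4 +1,6 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
-OLD_SECRET = "retired-value-do-not-flag"
+DB_PASSWORD = "hunter2-prod-2023"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+STRIPE_KEY = os.environ.get("STRIPE_KEY")
+API_TOKEN = "c3VwZXJzZWNyZXQtcmFuZG9tLXRva2VuLXZhbHVl"
 DEBUG = False
"""

# Variable names that suggest a credential is being assigned.
SECRET_NAME = re.compile(r"(password|passwd|pwd|secret|token|api_?key|access_?key|private_?key)", re.I)
# <name> = "<literal>"  (or <name>: '<literal>') on an added line.
LITERAL_ASSIGN = re.compile(r"""^\s*(?P<name>[\w.]+)\s*[:=]\s*["'](?P<value>[^"']{4,})["']""")
# AWS access key IDs have a fixed, recognisable prefix and length.
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Any quoted string long and random-looking enough to be a generated credential.
QUOTED = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
ENTROPY_BITS = 4.0          # base64-style random text sits around 4.5 bits/char, English around 3
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(?P<start>\d+)(?:,\d+)? @@")
MASK = re.compile(r"""(["'])[^"']*\1""")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int        # line number in the file as it will look after the merge
    rule: str
    snippet: str     # offending line with quoted values masked


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def check_line(path: str, line: int, text: str) -> list[Finding]:
    """Apply every rule to one added line; a line may trigger several rules."""
    snippet = MASK.sub(r"\1***\1", text).strip()
    out = []
    if AWS_KEY_ID.search(text):
        out.append(Finding(path, line, "aws-access-key-id", snippet))
    m = LITERAL_ASSIGN.match(text)
    if m and SECRET_NAME.search(m["name"]):
        out.append(Finding(path, line, "secret-assigned-literal", snippet))
    if any(shannon_entropy(lit) >= ENTROPY_BITS for lit in QUOTED.findall(text)):
        out.append(Finding(path, line, "high-entropy-literal", snippet))
    return out


def scan_diff(diff: str) -> list[Finding]:
    """Walk a unified diff and scan only the '+' lines, tracking post-merge line numbers."""
    findings: list[Finding] = []
    path, new_line = "", 0
    for raw in diff.splitlines():
        if raw.startswith("diff ") or raw.startswith("--- "):
            continue
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        m = HUNK.match(raw)
        if m:
            new_line = int(m["start"])
            continue
        if raw.startswith("-"):
            continue                      # deleted lines never reach production: skip, no line advance
        if raw.startswith("+"):
            findings.extend(check_line(path, new_line, raw[1:]))
        new_line += 1                     # context and added lines both exist in the new file
    return findings


def merge_allowed(diff: str) -> bool:
    """What a required status check returns: any finding blocks the PR."""
    return not scan_diff(diff)


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line}: {f.rule}: {f.snippet}")
    print("merge allowed:", merge_allowed(SAMPLE_DIFF))
```

Wired in as a required status check under branch protection, a non-zero exit from a script like this is what stops the PR from merging; the developer sees the file and line in the PR rather than a ticket in a backlog weeks later.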
A Golden Path to SOC 2 and PCI DSS Compliance
Looking ahead, as the company grows from 5,000+ SMB customers running single shops to larger, geographically distributed enterprise customers, compliance with industry standards becomes a critical requirement. This includes SOC 2 and, for their PoS support, PCI DSS.
As they undergo SOC 2 this year, they are set up for success with a well-documented and better-secured system, where Jit is one more place to direct auditors to, providing the evidence gathering, monitoring, and remediation these processes require in a single platform. As they mature through this process, Jit has provided the tooling and controls to help them rapidly achieve the necessary compliance.
Continuous Security on Cruise Control
Adopting Jit was painless and provided all the benefits they were looking for in cloud-native security tooling: the necessary controls from code to cloud, reinforcement of the security culture, and a single pane of glass for all their security needs. Scaling up requires not only refactoring systems for growth but also cultural shifts, alongside better processes and workflows.
Jit helped the ShopMonkey team through this cultural and technical shift, enabling them to run their business securely in the long term, with the peace of mind of knowing they're continuously covered across their stack.